Bug 1142176 - Kerberos ticket is not renewed properly and BIND later deadlocks
Summary: Kerberos ticket is not renewed properly and BIND later deadlocks
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Petr Spacek
QA Contact: Namita Soman
URL:
Whiteboard:
Keywords:
Depends On: 1142150
Blocks: 1142152
TreeView+ depends on / blocked
 
Reported: 2014-09-16 09:59 UTC by Arpit Tolani
Modified: 2015-07-22 05:39 UTC (History)
7 users (show)

(edit)
The bind-dyndb-ldap library incorrectly compared current time and the expiration time of the Kerberos ticket used for authentication to an LDAP server. As a consequence, the Kerberos ticket was not renewed under certain circumstances, which caused the connection to the LDAP server to fail. The connection failure often happened after a BIND service reload was triggered by the logrotate utility. A patch has been applied to fix this bug, and Kerberos tickets are correctly renewed in this scenario.
Clone Of: 1142150
(edit)
Last Closed: 2015-07-22 05:39:02 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1259 normal SHIPPED_LIVE bind-dyndb-ldap bug fix update 2015-07-20 17:49:53 UTC

Description Arpit Tolani 2014-09-16 09:59:12 UTC
+++ This bug was initially created as a clone of Bug #1142150 +++

Description of problem:
bind hangs after reload/GSSAPI Error: The referenced context has expired (Success)

 After a while (about once in a week) the bind daemon is in the state hang/zombie. The bind daemon seems to be present and accept requests from the clients, but is not answering any dns requests. Only killing the process with kill -9 can stop the daemon. After starting bind again, it works fine, until the problem occurs again.

Version-Release number of selected component (if applicable):
bind-9.9.4-14.el7.x86_64

How reproducible:
Everytime Logrotates runs. 

Steps to Reproduce:
1. Configure IPA server with DNS
2. Wait till logrotate starts rotating. 

Additional info:
It is related to https://fedorahosted.org/bind-dyndb-ldap/ticket/131

--- Additional comment from Tomas Hozza on 2014-09-16 05:54:04 EDT ---

Thank you for your report.

I already discussed this issue with Petr Spacek and it should be pretty easy to fix it. It is an error in the dyndb patch adding API for bind-dyndb-ldap.

I'll talk to QA guys and try to get it into 7.1.

Comment 1 Petr Spacek 2014-09-16 10:11:45 UTC
This problem is caused by two separate bugs: This one and bug 1142152. We need to fix both to completely solve the issue.

Comment 3 Petr Spacek 2014-09-16 17:30:02 UTC
There is nothing private in this bug. Publicizing.

Comment 4 Petr Spacek 2014-09-16 18:37:02 UTC
This problem is already fixed upstream, see commit https://fedorahosted.org/bind-dyndb-ldap/changeset/80f7663f309c0d0b9cb89ed8f8b38301b207360d/ .

Comment 6 Kaleem 2015-05-19 13:33:31 UTC
Verified.

bind-dyndb-ldap version:
========================
bind-dyndb-ldap-2.3-7.el6.x86_64

snip from automation log:
=========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Adding a test dns A record (Expected 0, got 0)
:: [   PASS   ] :: Looking up for test record using dig (Expected 0, got 0)
:: [   PASS   ] :: Changing time one day ahead so lograte can happen (Expected 0, got 0)
:: [   PASS   ] :: Running logrotate forcefully (Expected 0, got 0)
:: [   LOG    ] :: logrotate ran successfully
:: [   PASS   ] :: Command 'ls -la /var/log/message*' (Expected 0, got 0)
:: [   PASS   ] :: Looking up for test record using dig after log rotate (Expected 0, got 0)
:: [   PASS   ] :: Resetting the date (Expected 0, got 0)
:: [   PASS   ] :: Deleting the test record (Expected 0, got 0)
:: [   PASS   ] :: Deleting generated log files (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks

Comment 7 Petr Spacek 2015-05-20 05:29:59 UTC
Hello Kaleem,

please double-check that logrotate actually ran command 'rndc reload' (instead of 'service named restart'). I want to be 100 % sure that the bug was fixed properly. Thank you!

Comment 8 Kaleem 2015-05-21 06:33:09 UTC
(In reply to Petr Spacek from comment #7)
> Hello Kaleem,
> 
> please double-check that logrotate actually ran command 'rndc reload'
> (instead of 'service named restart'). I want to be 100 % sure that the bug
> was fixed properly. Thank you!

As we have figured out that logroate runs "named reload" which calls up "rndc reload" also, so i have added a check for "named reload" in automation code.

:: [   LOG    ] :: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Adding a test dns A record (Expected 0, got 0)
:: [   PASS   ] :: Looking up for test record using dig (Expected 0, got 0)
:: [   PASS   ] :: Changing time one day ahead so lograte can happen (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   PASS   ] :: clearing the /var/log/messages file (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   PASS   ] :: Running logrotate forcefully (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   LOG    ] :: logrotate ran successfully
:: [   PASS   ] :: Command 'ls -la /var/log/message*' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/messages-20150521' should contain 'reloading zones succeeded' 
:: [   PASS   ] :: Looking up for test record using dig after log rotate (Expected 0, got 0)
:: [   PASS   ] :: Resetting the date (Expected 0, got 0)
:: [   PASS   ] :: Deleting the test record (Expected 0, got 0)
:: [   PASS   ] :: Deleting generated log files (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3m 9s
:: [   LOG    ] :: Assertions: 15 good, 0 bad
:: [   PASS   ] :: RESULT: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks

Comment 10 errata-xmlrpc 2015-07-22 05:39:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1259.html


Note You need to log in before you can comment on or make changes to this bug.